Apache Backdoor Leads to Blackhole

Monday, April 29, 2013 @ 03:04 PM gHale

There is an ongoing attack where the bad guys are using compromised Apache HTTP binaries to redirect users to malicious sites that have the Blackhole exploit kit waiting for them.

Rather than going the traditional route of injecting malicious code onto target Web sites, this attack crew is replacing the existing Apache binary with a compromised one that contains a sophisticated backdoor.

The backdoor, which ESET researchers have named Linux/Cdorked, writes nothing to disk beyond the replaced httpd binary itself; its configuration and working state live in a shared memory region instead. The scarcity of artifacts on infected machines makes life difficult for researchers trying to analyze the attack, but what experts have found so far suggests there could be several hundred infected servers at this point.

“The backdoor leaves no traces of compromised hosts on the hard drive other than its modified httpd binary, thereby complicating forensics analysis,” said Pierre-Marc Bureau of ESET, which has done analysis of the attack. “All of the information related to the backdoor is stored in shared memory. The configuration is pushed by the attacker through obfuscated HTTP requests that aren’t logged in normal Apache logs. This means that no command and control information is stored anywhere on the system.”
http://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/

“The HTTP server is equipped with a reverse connect backdoor that can be triggered via a special HTTP GET request,” he said. “It is invoked when a request to a special path is performed with a query string in a particular format, containing the hostname and port to connect to. The client IP of the HTTP dialog is used as a key to decrypt the query string as a 4-byte XOR key.”

Beyond leaving little to no trace on compromised machines, the other distinguishing aspect of Linux/Cdorked is that the attackers replace the Apache HTTP binary wholesale rather than tampering with the sites it serves.

The attackers in this case took the more difficult route, opting to compromise the Web server itself and then fully replace the Apache binary. How they are compromising the servers to begin with is still an open question. Researchers at Sucuri, who also analyzed the attacks, said the attackers may be using brute-force attempts against SSH servers as an initial entry point. Once the attackers have the malicious binary on a target server, they appear to be using it selectively: the malicious redirects are only served to each IP address once a day, and the sites from which the binary loads the malicious code appear to be random URLs.

“Once the malware is loaded it will redirect the site to spammy sites. In some cases we also saw the redirection going to the Blackhole Exploit kit,” said Daniel Cid, CTO of Sucuri.

The backdoor has a list of almost two dozen commands the attacker can use, and these are sent to the compromised server via an HTTP POST request, Bureau said.

“The request must also contain a cookie header starting with “SECID=”. The query string value must hold 2 hex encoded bytes that are encrypted with the client IP, using the same technique as the shell. The SECID cookie data will be used as arguments to some of the commands. We believe that the URLs to redirect clients are sent to the backdoor using this method. The redirection information will be stored encrypted in the allocated shared memory region. We also believe that the conditions for redirection are set this way, for example, a white list of user agents to redirect can be preconfigured and a black list of IPs to avoid redirection,” Bureau said.
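The two channels Bureau describes above, the GET trigger for the reverse connect and the POST command channel gated by a SECID cookie, share one trick: the payload in the query string is hex-encoded and XORed with the connecting client's IP address used as a 4-byte key. The following is an added model of that scheme written for this article; it is not the malware's code and not ESET's analysis tooling. Only the properties stated in the quotes are used. The trigger path name, the byte order of the key, the "host:port" text layout of the decrypted query and the roles of the two command bytes are assumptions made here so the example runs end to end.

```python
"""
Model of the client-IP-keyed XOR channel described for Linux/Cdorked.

Added illustration for this article, not the backdoor's own code. Assumed
details (not given in the article): the trigger path, network byte order
for the key, a "host:port" plaintext layout, and the meaning of the two
command bytes.
"""
import ipaddress

TRIGGER_PATH = "/status-check"   # hypothetical; the real special path is not given here


def ip_key(client_ip: str) -> bytes:
    """Dotted-quad client IP -> 4-byte XOR key (assumed network byte order)."""
    return ipaddress.IPv4Address(client_ip).packed


def xor_ip(data: bytes, client_ip: str) -> bytes:
    """XOR data against the repeating 4-byte key. Symmetric: encrypt == decrypt."""
    key = ip_key(client_ip)
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))


def encode_query(plaintext: bytes, client_ip: str) -> str:
    """What a client connecting from client_ip would put in the query string."""
    return xor_ip(plaintext, client_ip).hex()


def decode_query(hex_query: str, client_ip: str) -> bytes:
    """What the backdoored httpd recovers, keyed on the TCP connection's source IP."""
    return xor_ip(bytes.fromhex(hex_query), client_ip)


def parse_reverse_connect(path: str, hex_query: str, client_ip: str):
    """Model of the GET trigger. Returns (host, port), or None if the request
    does not decrypt to a well-formed target under this client's key."""
    if path != TRIGGER_PATH:
        return None
    try:
        text = decode_query(hex_query, client_ip).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return None
    # A wrong key (an ordinary visitor, or an analyst replaying a captured
    # request from another address) yields control bytes or garbage here.
    if not text.isprintable():
        return None
    host, sep, port = text.rpartition(":")
    if not sep or not host or not port.isdigit() or not 0 < int(port) < 65536:
        return None
    return host, int(port)


def parse_command(method: str, hex_query: str, cookie_header: str, client_ip: str):
    """Model of the POST channel: exactly two encrypted bytes in the query string,
    a cookie header starting 'SECID=' whose value is the command argument.
    Returns (command_id, flags, argument) or None. Byte roles are assumed."""
    if method != "POST" or not cookie_header.startswith("SECID="):
        return None
    if len(hex_query) != 4:          # two bytes, hex-encoded
        return None
    try:
        raw = decode_query(hex_query, client_ip)
    except ValueError:
        return None
    return raw[0], raw[1], cookie_header[len("SECID="):]


def demo():
    """Constructed traffic: an operator at a TEST-NET address versus an analyst
    who replays the same bytes from a different address."""
    operator_ip = "198.51.100.7"     # constructed, RFC 5737 TEST-NET-2
    analyst_ip = "203.0.113.9"       # constructed, RFC 5737 TEST-NET-3
    trigger = encode_query(b"c2.example.net:4444", operator_ip)
    cmd = encode_query(b"\x07\x01", operator_ip)
    return {
        "trigger_ok": parse_reverse_connect(TRIGGER_PATH, trigger, operator_ip),
        "trigger_wrong_ip": parse_reverse_connect(TRIGGER_PATH, trigger, analyst_ip),
        "trigger_hex": trigger,
        "command": parse_command("POST", cmd, "SECID=http://evil.example/land", operator_ip),
        "command_no_cookie": parse_command("POST", cmd, "PHPSESSID=abc", operator_ip),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The forensic consequence the model makes concrete: the hex string in a captured request is useless on its own, because the key is the source address of that connection. Decrypting a request replayed or re-sent from a different address fails, so an analyst must pair each captured query with the client IP it arrived from. The scheme is obfuscation rather than encryption: a single known plaintext (here, a decrypted "host:port" string) recovers the four key bytes directly.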